Your first 30 days on AISEC
A step-by-step guide for security teams implementing their first compliance programme.
Days 1–7
Foundation
Day 1: Set up your organisation profile
1. Set industry, company size, and primary cloud infrastructure
2. Upload your company logo — it appears on all PDF exports
3. Configure notification preferences for alerts and policy deadlines
4. Choose your primary framework — start with ISO 27001 if unsure
Tip: Spend 20 minutes here. A complete profile ensures all AI-generated policies are tailored to your organisation.
Days 2–3: Invite your team
1. Add security leads with the Admin role, reviewers as Manager, engineers as Analyst
2. Set up SSO if on Enterprise tier — SAML 2.0 and OIDC both supported
3. Enable SCIM auto-provisioning to sync users from Okta, Azure AD, or any SCIM IdP
4. Assign named owners to Policy, Risk, and Evidence workflows before generating content
Tip: Compliance programmes work best when there is a named human accountable for each area — not a shared inbox.
Days 4–5: Generate your first policies
1. Start with Information Security Policy, Access Control Policy, and Risk Management Policy
2. Use AI generation — include custom instructions describing your industry and stack
3. Review the draft carefully: adjust any sections that are too generic for your environment
4. Submit for review, assign an approver, and publish once approved
AISEC generates a complete, audit-quality policy draft in under 90 seconds using Claude. You still review and approve every word — the AI handles the structure.
Days 6–7: Configure your baseline risk register
1. Import existing risks from a spreadsheet using the CSV upload template
2. Or create risks manually: name, owner, likelihood (1–5), impact (1–5), treatment
3. Set target treatment dates for all HIGH and CRITICAL risks
4. AISEC will automatically alert the risk owner when a treatment date passes
Tip: Even 10–15 well-described risks with clear owners are a better starting point than 100 vague entries from a template library.
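The two checks a reviewer wants to run on a freshly imported register are the ones the steps above describe: every HIGH or CRITICAL risk has a target treatment date, and any risk whose target date has passed is surfaced to its owner. The following is an added example, not AISEC's code or its CSV template; the column names, the constructed sample rows, the as-of date and the likelihood × impact banding thresholds (15+ CRITICAL, 10+ HIGH, 5+ MEDIUM) are all assumptions made for illustration.

```python
import csv
import io
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed sample in the shape of a CSV import template. The column names
# are an assumption for this example, not AISEC's template.
SAMPLE_CSV = """name,owner,likelihood,impact,treatment,target_date
Unpatched internet-facing VPN appliance,ops-lead,4,5,Mitigate,2024-05-31
Shared admin credentials in CI,platform-lead,3,4,Mitigate,2024-07-15
No offboarding checklist for contractors,hr-lead,3,3,Mitigate,2024-09-30
Laptop theft without disk encryption,it-lead,3,4,Mitigate,
Vendor SLA lapse for backup provider,finance-lead,1,2,Accept,
"""

# Constructed "today" so the example runs the same way offline.
AS_OF = date(2024, 6, 15)


def band(score: int) -> str:
    """Map a likelihood x impact product (1-25) onto four bands.

    The thresholds are an assumption for this example; AISEC's own
    banding is not described on the page.
    """
    if score >= 15:
        return "CRITICAL"
    if score >= 10:
        return "HIGH"
    if score >= 5:
        return "MEDIUM"
    return "LOW"


@dataclass
class Risk:
    name: str
    owner: str
    likelihood: int
    impact: int
    treatment: str
    target_date: Optional[date]

    @property
    def score(self) -> int:
        return self.likelihood * self.impact

    @property
    def band(self) -> str:
        return band(self.score)


def load_register(text: str) -> List[Risk]:
    """Parse the CSV, rejecting likelihood/impact values outside 1-5."""
    risks = []
    for row in csv.DictReader(io.StringIO(text)):
        likelihood = int(row["likelihood"])
        impact = int(row["impact"])
        if not (1 <= likelihood <= 5 and 1 <= impact <= 5):
            raise ValueError(f"{row['name']}: likelihood and impact must be 1-5")
        target = date.fromisoformat(row["target_date"]) if row["target_date"] else None
        risks.append(Risk(row["name"], row["owner"], likelihood, impact,
                          row["treatment"], target))
    return risks


def register_findings(risks: List[Risk], as_of: date) -> List[str]:
    """Return the review findings for a register as of a given date:
    HIGH/CRITICAL risks with no target treatment date, and any risk
    whose target date has already passed (its owner should be alerted)."""
    findings = []
    for r in risks:
        if r.band in ("HIGH", "CRITICAL") and r.target_date is None:
            findings.append(f"MISSING_TARGET_DATE {r.band} '{r.name}' owner={r.owner}")
        if r.target_date is not None and r.target_date < as_of:
            findings.append(f"OVERDUE '{r.name}' owner={r.owner} due={r.target_date.isoformat()}")
    return findings


def demo_findings() -> List[str]:
    """Run both checks over the constructed sample as of AS_OF."""
    return register_findings(load_register(SAMPLE_CSV), AS_OF)


if __name__ == "__main__":
    for risk in load_register(SAMPLE_CSV):
        print(f"{risk.band:8} {risk.score:2}  {risk.name} ({risk.owner})")
    for line in demo_findings():
        print(line)
```

On the constructed sample, the VPN risk (score 20, CRITICAL) is reported overdue because its 2024-05-31 target has passed, and the laptop-encryption risk (score 12, HIGH) is reported for having no target date at all; the MEDIUM and LOW entries produce nothing, which matches the page's guidance to insist on dates only for HIGH and CRITICAL risks.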
Days 8–14
Policy Library
Building your ISO 27001 policy set
ISO 27001 certification typically requires 15–20 approved policies. Below is the standard set. Use AISEC's AI generation for each, then review and tailor to your organisation.
Policy attestation — get sign-off from every team member
1. After a policy is approved, open the Attestation tab on the policy detail page
2. Add all staff who should attest — including contractors via email address
3. AISEC sends each person a magic-link email — no account required to attest
4. Track sign-off rates in real time from the Attestation dashboard
Tip: Attestation records are stored with timestamps and are exportable for audit evidence. Run attestation campaigns within 48 hours of policy approval.
Days 15–21
Evidence & Controls
Setting up evidence connectors
Connect your tech stack to automate evidence collection. Each connector runs on a schedule and maps collected data to ISO 27001 Annex A controls automatically.
- AWS Config: IAM role with SecurityAudit managed policy attached
- Okta: API token with read:users, read:groups permissions
- GitHub: GitHub App with repository metadata read access
- Jira: API token with browse projects permission
- Datadog: API + Application key with Monitors Read scope
- Azure Defender: Service principal with Security Reader role
- CrowdStrike: API client with Hosts:read and Vulnerabilities:read
- Slack: Bot token with channels:read, users:read scopes
Mapping evidence to controls
1. After collection runs, open Evidence Hub → Review queue
2. AISEC AI pre-classifies each piece of evidence and suggests a control mapping
3. Review and confirm or adjust each suggestion — the AI is right ~85% of the time
4. Set an expiry date for recurring evidence (e.g. quarterly access reviews)
Tip: Prefer evidence that can be collected automatically on a recurring schedule. Manual uploads are fine for annual artefacts like penetration test reports.
Days 22–28
Gap Analysis & Reporting
Running your first gap analysis
1. Navigate to Gap Analysis → select ISO 27001 → click Run analysis
2. AISEC assesses all 93 Annex A controls against your evidence and policy records
3. You receive an overall compliance score (0–100), controls breakdown, and remediation roadmap
4. Aim for a score above 75 before scheduling your Stage 1 audit
The gap analysis runs in 2–3 minutes. Re-run it after each sprint of control improvements to track progress. Most customers move from 40 to 75+ in 6–8 weeks.
Stage 1 audit readiness checklist
Beyond 30 Days
Continuous compliance
Continuous compliance — staying audit-ready
1. Monitoring rules run every 5 minutes and fire alerts for deviations
2. Daily drift snapshots track control coverage over time
3. Automated overdue treatment alerts — owners are notified before SLAs are breached
4. EU AI Act obligation deadline alerts fire 30, 14, and 3 days before enforcement dates
Tip: The goal after Week 4 is to make compliance operational — not a once-a-year audit exercise. AISEC is designed to be your daily working environment.
Adding more frameworks
ISO 27001 evidence maps automatically to SOC 2 and GDPR controls. Once your ISO 27001 programme is running, adding a second framework takes days, not weeks.
- SOC 2 Type II: ~70% of ISO 27001 evidence already maps across
- GDPR: Data processing records and DPIA templates included
- HIPAA & SOX: Regulated industry controls mapped from your existing set
- EU AI Act: AI system inventory syncs from existing tech stack data
Go to Settings → Frameworks and select the additional framework to activate cross-mapping.
Ready to turn this handbook into a live programme?
Create your free account and follow the steps above. Most teams reach ISO 27001 audit-readiness in 8–12 weeks.